On Wed, 2023-04-05 at 16:45 -0700, Sean Christopherson wrote:
> Per Intel's SDM, unsupported ENCLS leafs result in a #GP, not a #UD.
> SGX1 is a special snowflake as the SGX1 flag is used by the CPU as a
> "soft" disable, e.g. if software disables machine check reporting, i.e.
> having SGX but not SGX1 is effectively "SGX completely unsupported" and
> and thus #UDs.
If I recall correctly, this is an erratum which can clear SGX1 in CPUID while
the SGX flag is still in CPUID?
But I am not sure whether this part is relevant to this patch? Because SDM
already says ENCLS causes #UD if SGX1 isn't present. This patch changes
"unsupported leaf" from causing #UD to causing #GP, which is also documented in
SDM.
>
> Fixes: 9798adbc04cf ("KVM: VMX: Frame in ENCLS handler for SGX virtualization")
> Cc: Binbin Wu <binbin.wu@xxxxxxxxxxxxxxx>
> Cc: Kai Huang <kai.huang@xxxxxxxxx>
> Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
> ---
> arch/x86/kvm/vmx/sgx.c | 15 +++++++++------
> 1 file changed, 9 insertions(+), 6 deletions(-)
>
> diff --git a/arch/x86/kvm/vmx/sgx.c b/arch/x86/kvm/vmx/sgx.c
> index f881f6ff6408..1c092ab89c33 100644
> --- a/arch/x86/kvm/vmx/sgx.c
> +++ b/arch/x86/kvm/vmx/sgx.c
> @@ -350,11 +350,12 @@ static int handle_encls_einit(struct kvm_vcpu *vcpu)
>
> static inline bool encls_leaf_enabled_in_guest(struct kvm_vcpu *vcpu, u32 leaf)
> {
> - if (!enable_sgx || !guest_cpuid_has(vcpu, X86_FEATURE_SGX))
> - return false;
> -
> + /*
> + * ENCLS #UDs if SGX1 isn't supported, i.e. this point will be reached
Why #UDs instead of #UD? Is #UD a verb?
> + * if and only if the SGX1 leafs are enabled.
> + */
Is it better to move "ENCLS #UDs if SGX1 isn't supported" part to ...
> if (leaf >= ECREATE && leaf <= ETRACK)
> - return guest_cpuid_has(vcpu, X86_FEATURE_SGX1);
> + return true;
>
> if (leaf >= EAUG && leaf <= EMODT)
> return guest_cpuid_has(vcpu, X86_FEATURE_SGX2);
> @@ -373,9 +374,11 @@ int handle_encls(struct kvm_vcpu *vcpu)
> {
> u32 leaf = (u32)kvm_rax_read(vcpu);
>
> - if (!encls_leaf_enabled_in_guest(vcpu, leaf)) {
> + if (!enable_sgx || !guest_cpuid_has(vcpu, X86_FEATURE_SGX) ||
> + !guest_cpuid_has(vcpu, X86_FEATURE_SGX1)) {
> kvm_queue_exception(vcpu, UD_VECTOR);
... above here, where the actual code reside?
> - } else if (!sgx_enabled_in_guest_bios(vcpu) || !is_paging(vcpu)) {
> + } else if (!encls_leaf_enabled_in_guest(vcpu, leaf) ||
> + !sgx_enabled_in_guest_bios(vcpu) || !is_paging(vcpu)) {
> kvm_inject_gp(vcpu, 0);
> } else {
> if (leaf == ECREATE)
> --
> 2.40.0.348.gf938b09366-goog
>
